[ On Sunday, July 9, 2000 at 15:59:51 (-0400), Derrick wrote: ]
Subject: RE: "top secret" security does require blocking SSH
> Blocking SSH is a weak solution. Many places I know allow telnet through their firewalls and block ssh.

Now that's truly insane. I can't even begin to imagine how a security policy could be worded such that this would be the outcome in implementation!

> Since I never allow telnet on any of my servers I run SSH on both ports 22 and 23 so that these people can still reach our servers. Unless you are running an application firewall that explicitly checks the telnet protocol then you are not safe.

Hmmm.... as much as I do like to force protocols to run on their registered ports, running sshd on port 23 in some situations might indeed be better than nothing....

> The same ideas have been around for years on port 80. MS DCOM Tunneling is one of the worst, allowing full application client to server communication in packets wrapped by HTTP headers so that they can traverse your proxy or firewalls on port 80. I am still waiting for the trojan that makes use of these features and the intrinsic MS DCOM security model.

As I mentioned to a friend just yesterday, I have seen IP-over-email demonstrated and I've even heard tell of someone doing it with UUCP as the mail transport.... ;-) Now that the Church Of Instantaneous Propagation has almost won its final battle I'd even bet IP-over-email is faster than bare telnet over some dialups! ;-)

-- 
Greg A. Woods
+1 416 218-0098 VE3TCP <gwoods@acm.org> <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
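The thread's point is that a port-based firewall rule says nothing about which protocol is actually answering on port 23; only looking at the application data does. As an added example (not code from either poster), the following audit helper connects to a host you administer, reads the server's opening bytes without sending anything, and reports whether an SSH identification string (RFC 4253) or telnet option negotiation (RFC 854) came back. The host argument and the constructed sample banners are assumptions for illustration.

```python
import re
import socket

# RFC 4253: an SSH server sends "SSH-protoversion-softwareversion[ comments]\r\n"
# before anything else, so the first bytes reveal the protocol regardless of port.
SSH_ID = re.compile(rb"^SSH-(\d+\.\d+)-([^\r\n ]+)")

IAC = 0xFF                                   # telnet "Interpret As Command" (RFC 854)
TELNET_NEGOTIATION = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT


def classify_banner(data: bytes) -> str:
    """Name the protocol that really answered, based only on the server's first bytes."""
    m = SSH_ID.match(data)
    if m:
        return f"ssh ({m.group(1).decode()} / {m.group(2).decode()})"
    # Telnet daemons normally open with IAC option negotiation,
    # e.g. FF FD 18 = IAC DO TERMINAL-TYPE.
    if len(data) >= 3 and data[0] == IAC and data[1] in TELNET_NEGOTIATION:
        return "telnet"
    if not data:
        return "silent"
    return "unknown"


def probe(host: str, port: int = 23, timeout: float = 3.0) -> str:
    """Connect to host:port, wait for the server to speak first, and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(256)
        except socket.timeout:
            data = b""  # a server that waits for the client to talk first
    return classify_banner(data)


if __name__ == "__main__":
    import sys
    # Assumed usage: audit your own host; defaults to localhost.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}:23 -> {probe(target)}")
```

A result of `ssh (...)` on port 23 shows exactly the situation Derrick describes; a port-number rule on the firewall would never have noticed it.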